Principle four of the Mozilla Manifesto states that “Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.” We’ve made real progress on improving security on the Internet, but unfortunately, a draft law under discussion in the EU – the eIDAS Regulation – threatens to reverse that progress. Mozilla and many others have been raising the alarm in the last few months. Today, leading cybersecurity experts are weighing in too, in an open letter to EU lawmakers that warns of the risks that eIDAS represents to web security.
Website certificates sit at the heart of web security. When you make a connection to a web site, say “”, that connection is protected with TLS, but TLS only protects the connection itself; each server has a certificate which ensures that the server on the other end is “” and not an attacker impersonating Mozilla. Certificates are issued by Certificate Authorities (CAs), who are responsible for verifying that a given entity controls the site in question. A malicious CA - or just one which did not have secure practices - could issue incorrect certificates which could then be used by attackers to attack people’s connections and steal their data. In order to ensure that CAs are held to high standards, each major browser and operating system maintains its own “Root Program,” which is responsible for vetting CAs to ensure that they have acceptable issuance practices, and, where necessary, removing CAs who do not adhere to those practices. For 18 years, Mozilla has operated its Root Program in the open, with published practices and where each proposed CA is considered on a public mailing list, ensuring that any stakeholder can be heard.
Proposed EU legislation threatens to disrupt this balance. Article 45.2 of the eIDAS Regulation mandates support for a new kind of certificate called a Qualified Website Authentication Certificate (QWAC).
It's my fourth Moziversary. It's been 4 years (and three days) now since I joined Mozilla as a Telemetry engineer. I joined Mozilla as a Firefox Telemetry Engineer in March 2018, I blogged three times already: 2019, 2020, 2021. The past year continued to be challenging. Except for a brief 3-week period the Berlin office stayed closed, I haven't met (most of) my team mates in person since 2020. I hope that in 2022 I will have the chance to meet some of them again, maybe even all at once. I already spent some time on looking back on most of the work that happened on the Glean project last year in a This Week in Glean post,
For 2022 Glean will be about stabilizing, some new features and more widespread adoption across our products. We will see what else I pick up along the way. Thanks to my team mates Alessio, Bea, Chris, Travis, and Mike, and also thanks to the bigger data engineering team within Mozilla. And thanks to all the other people at Mozilla I work with.